How can you safely adopt cloud apps? Are cloud apps creating a security risk for your organization? What do you do if you have a risky employee or volunteer? How do you protect yourself against bad actors and malware? What happens if a cloud service is compromised; how do you protect your assets at rest there?
Cloud apps are great for productivity, and they are easy to use, but you need to be aware of the security risks that come along with them.
Security for cloud apps is a shared responsibility. Your cloud app provider will secure its application and infrastructure against attack, but it is not responsible for what your users do within your accounts in these cloud apps. You are responsible for setting up security controls for accessing cloud apps as well as educating your users on safety in the cloud.
Welcome to the Cloud Generation. Here are five things to do to help protect your nonprofit.
Step 1: Do an Inventory on Cloud Apps
Find out what cloud apps are being used by members of your organization. If you don't know an app is being used, it is Shadow IT.
In this case, Shadow IT would be cloud apps used by employees or volunteers when those apps do not have any IT security oversight. Knowing which cloud apps your employees are using is a key first step for cloud security and compliance.
Every organization underestimates the number of cloud apps they are using. A large organization should do full discovery using a Cloud Access Security Broker (CASB). On average, a typical enterprise organization will find they are using more than 1,200 cloud applications.
Small organizations that don't have IT resources to use a CASB can start by surveying their employees and volunteers to find out what apps they use. And remember, any cloud service that processes or stores data for you, even a simple PDF converter on the web, counts as a cloud app.
Step 2: Avoid File-Sharing Mistakes
In the last Shadow Data Report, Symantec found that 29 percent of emails and attachments and 13 percent of all files stored in the cloud are broadly shared and at risk of leakage.
Here's a typical example. An employee creates a Microsoft Office 365, Google Drive, Box, or Dropbox account. Then the employee uploads a file with confidential data and shares that link with someone outside the organization who doesn't have an account with that file-sharing service. So the cloud service helpfully offers a link accessible by anyone with the link.
Then your employee selects that link and sends it to a partner or vendor or whoever they think needs the data. Although this scenario may seem innocuous, that link is a public link and can be a security threat to your organization.
The file access link can be discovered via a web crawler that is searching for a certain list of terms. Malicious outsiders do this often, in search of the "low-hanging fruit" of discovery about a company. It's important to remind employees in regular training about leaving files in the cloud for longer than absolutely necessary. You want them to close the loop between file drop-off and file pickup by an outside party.
Be careful with files that contain confidential information. Large organizations should implement a CASB with data loss prevention (DLP) to automatically identify confidential files and apply security controls to protect them.
Small organizations may not be able to use a CASB. However, they can implement some simple techniques such as clearly labeling any file with confidential content by including "confidential" or "private" in the file name. They can also use a "confidential" watermark in the file to make it obvious to anyone using it that they are handling confidential information. Nothing is too obvious when it comes to labeling data files for security.
Every organization should train their employees and volunteers on what to do and what not to do when handling confidential content. For example: don't share confidential files using a public link.
Step 3: Identify High-Risk Employees
High-risk employees have many characteristics, some virtual and some physical. A high-risk employee uses the same password on all their accounts. A high-risk employee moves confidential data out of the organization's system and into personal email accounts to do work at home or while they are traveling. A high-risk employee doesn't password-lock their computer or mobile device and leaves their device open when they walk away.
When dealing with high-risk employees, large organizations can use CASB technology to prevent data exposures, control access and sharing, and monitor high-risk activity actions. Even small organizations without dedicated IT resources can use the built-in security capabilities that come with cloud apps such as Microsoft Office 365, Google Workspace, Box, or Dropbox. Make sure you also educate your users on what is low-risk versus high-risk behavior — organizations of any size can do this.
For your official cloud apps, make sure employees are using accounts dedicated to the organization, rather than a mix of personal and professional accounts. Don't make it hard for your employees to maintain remote access; you want them accessing private data in the cloud systems you are monitoring rather than on their unmonitored personal accounts.
Finally, get an identity management solution and multifactor authentication. If you are a small organization, you can at least get all your people using a password management program. You may already have this capability in your endpoint protection, but if you don't, there are very inexpensive consumer products available for this.
Step 4: Beware of Bad Actors
Easily guessed logins or unsecured login data help hackers and malware access cloud apps to get access to confidential data. A disgruntled employee or volunteer may divulge sensitive data, download malware, send out confidential information, or delete data prior to leaving a company.
What can you do about bad actors? You can protect your endpoints against malware, so that infection doesn't affect your user group or other systems. You can mandate strong passwords and automate quarterly changes. (This alone can prevent a malicious insider from logging back in to your accounts after they've gone to a competitor.)
Take advantage of multifactor authentication everywhere that you can. A good CASB will detect malicious user activity in a cloud app. And finally, make sure there's a standard checklist for exiting employees and volunteers in every role to turn off access and delete data.
Step 5: Stay Alert About Data Breaches
You see articles in the news every day about cloud apps vendors being breached. If one of your organization's cloud services hits the news, it should send you an email or a notification about your data, especially if your data may have been compromised.
If one of your cloud apps is breached, notify all employees to change all of their passwords for that app right away. Then take a look at what data your organization has in that cloud app and ask if it would be a problem if it were exposed.
If you have confidential data involved in one of these big breaches and it belongs to your clients, sponsors, or constituents, you may be required to notify them. (Involve your legal or IT security team members in this discussion prior to notification, and ask their advice.)
After you've done this, you should evaluate whether you want to continue using this cloud app; there may be a more secure cloud app out there that can perform the same function for you. Organizations with a CASB can easily do a security comparison on similar cloud apps to help make this decision.
Cloud apps improve your workflow, reduce your spending, and make you a more efficient organization. However, it's important to be aware of the risks, get informed about your options in monitoring, and plan your responses.
Additional Resources: Nonprofit Security in the Cloud
- Watch our free webinar, Is the Cloud Safe? Ensuring Security in the Cloud.
- Find out: What Is a CASB?
- Read about cloud app adoption, use, and risks in the Symantec 2018 Shadow Data Report.
- Learn more about Symantec security: